(54) Title: SECURE PROXY SIGNING DEVICE AND METHOD FOR USE
(57) Abstract 

A secure proxy signing device for producing digital signatures of documents and
supplying the digital signatures over an insecure network provides security measures
against a phony document hash being presented by an impersonator of a user to the
signing device for forming the digital signature on behalf of the user. In the user
equipment there is formed a first data item I1 which is an encrypted hash of the
document to be signed and a second data item I2 which is formed by hashing together
the document hash (Ho), a random number (RN) received from the signing device, and
user identifying data (U) which is obtained from a physically present user. The first
and second data items are received by the signing device, which decrypts the first
data item to determine the document hash (Ho), forms a derived second data item by
hashing together the determined document hash (Ho), the stored last generated random
number RN, and user identifying data (U), and compares this derived data item with
the received second data item I2. If the compared items are the same, the determined
document hash is authenticated, and it is encrypted with the stored user's private
key to form the digital signature (DS).
Secure proxy signing device and method of use.



BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to secure proxy signing devices for forming and supplying digital 
signatures over a network on behalf of users so that private keys are never extant at user 
equipment which is not secure, and to methods of using, and systems employing, such devices. 

2. Description of the Related Art

Digital signatures are generally produced by encrypting a hash of a document with the private
key of a public key/private key pair unique to the user (generated e.g. by RSA or El Gamal
algorithms) to manifest the user's approval of the document. The term "document" is used
throughout this application to indicate or include any digital data, program, or file or a
plurality or combination thereof. A hash is produced by applying a secure hash function (such
as SHA-1 or RIPEMD) to reduce such data to a bit string of a fixed predetermined length (e.g.
160 bits if SHA-1 is used). A person having both a document and an associated digital
signature can verify these items by comparing the result of decrypting the digital signature
using the public key of the user with the result of hashing the document using the secure hash
function. Such verification depends on the assumption that the private key is secret and is
only known or used by or on behalf of the user. Yet if a private key is stored or even
temporarily extant at user equipment such as a personal computer connected to an insecure
network such as the Internet, there is the risk that a malicious program could be planted in the
PC which would extract keys and send them over the network to an unscrupulous person.
To avoid this risk, it has been proposed to form the digital signature in a user's smartcard
placed in a smartcard reader associated with the user's equipment. The smartcard is a secure
proxy signing device because it uses a private key which never leaves the card. However, a
hash of the document to be signed has to be presented to the smartcard in order for the
smartcard to form the digital signature. This need to present the document hash to the
smartcard raises the risk, particularly in systems where there is an insecure link between the
process in which the hash is generated and the smartcard, that a phony document hash could
be presented to the smartcard by an impersonator for signature on behalf of a user.
For example, if the document hash is generated by a Java (a trademark of Sun Microsystems
Inc.) applet running on user equipment under a browser, such an applet process cannot access
local disks or local I/O. Therefore, the smartcard reader cannot be accessed directly from the
applet process, and consequently, communication between the applet process and a
background process communicating with the smartcard must take place by server echoing via
the insecure network. Such communication would thereby be exposed to an eavesdropper
monitoring the insecure network, and the smartcard would be vulnerable to being spoofed by
presentation to it of a phony document hash, for example, in a block replay attack where
previous authentic communications to the smartcard, or portions thereof, are replayed.
Another approach to avoiding the risk of key extraction from insecure user equipment is
described in U.S. Patent No. 5,208,858 wherein the private keys of all users are stored and
maintained at a server functioning as a proxy signing device. Therein, a hash of the approved
document is sent from the user equipment to the server via the network. At the server, the
received hash is encrypted with the user's private key available at the server to form a digital
signature which is combined with the user's public key and further data to form a so-called
certificate which is transmitted to the user equipment for checking. At the user equipment, the
result of decrypting the signature with the user's public key is compared with the document
hash which was sent. If the compared items are the same, the document and the signature-
containing certificate may be sent directly from the user equipment to the desired recipients.
The method of U.S. Patent No. 5,208,858 has the drawback of the need to send the digital
signature back to the originator for checking and also that the server must be located in a
highly secure place because the private keys are stored therein in the clear (or at least in a form
from which they can be derived by the server). It should be noted that the consequences of a
person of malevolent intent compromising the server and obtaining the stored private keys are
catastrophic, potentially rendering unreliable all digital signatures made with the system at any
time. Further, in this known method it appears that the server could be tricked by a block-
replay attack or a man-in-the-middle attack into signing a document which did not originate
from the user on behalf of whom the signature is sought, or signing unauthorized duplicates of
authentic documents.

SUMMARY OF THE INVENTION
It is a general object of the present invention to provide a secure proxy signing device, and a
system and method for using such a device, to form digital signatures which are supplied over
an insecure network, such as the Internet, which provides security measures directed against
the possibility that the proxy signing device is presented by an impersonator of the user with
an unauthentic document hash for signature via the network. It is a further object of the
present invention that the security measures guard against block-replay and man-in-the-middle
attacks.

Briefly, the aforementioned and other objects are satisfied by providing a proxy signing device
for forming a digital signature of a document using a private key stored within the signing
device and data items supplied to the signing device from which a hash of the document is
derived and authenticated by means within the signing device. Said signing device further
comprises means for encrypting the document hash with the private key to form the digital
signature only if the document hash has been authenticated. The invention is further
characterized in that said means for deriving and authenticating the document hash is
configured for authenticating a derived document hash on a condition that first data derived at
least in part from one of said data items is the same as second data equal to or derived from
another of said data items.
More particularly, the proxy signing device comprises a random number generator, and the
first data is derived from a combination of the derived document hash, a number stored in the
proxy signing device which was previously generated by the random number generator and
communicated to the signing device, and user identifying data stored in the signing device and
only obtainable at the user equipment by interaction with a physically present user, such as a
password or passphrase entered by the user or biometric data (hash of a fingerprint, voiceprint,
retina scan, or face scan) measured or scanned from the physically present user.

By providing for authentication in the proxy signing device and by making one of the plural
data items provided to the signing device depend on a random number previously generated by
the signing device solely for use in conjunction with obtaining the current digital signature,
high immunity is provided against the signing device being spoofed by a block replay of
presentations of variations of previous communications with the signing device, or by a man-
in-the-middle attack. Further, the use in the authentication process of user identifying data
which could only have been obtained by interaction with a physically present user at the user
equipment provides high immunity against impersonation of the user.

Also, in accordance with the present invention, user apparatus is provided for cooperating with
a proxy signing device via a communication path including a network for forming a digital
signature of a user to whom is assigned a private key/public key. The user apparatus
comprises user interaction means for a user to indicate approval of a document, computation
means configured for forming first and second data items to be provided to the signing device
via the communication path, said first data item being derived from a hash of the approved
document, and said second data item being derived from a combination including said hash of
the approved document and a random number computed by the signing device. The apparatus
is also characterized in that the user interaction means is
identifying information from the user (password or passphrase or biometric information such
as fingerprint, voiceprint, retina scan, face scan) and in that the combination from which the
second data item is derived further comprises user identifying data derived from the obtained
user identifying information. Also, the second data item is derived from said combination by
hashing together the items of said combination.
The present invention also comprises a method for forming and supplying a digital signature
of a user of a document comprising generating a random number in a signing device,
supplying the random number to user equipment, and forming in the user equipment a first
data item derived from a hash of the document and a second data item derived from a
combination including said hash of the document and said random number. The inventive
method further comprises authenticating in the signing device a hash of the document derived
from said first data item if data derived by the signing device from the combination including
the derived hash of the approved document and a previously generated random number stored
in the signing device equals data derived from said second data item, and if the derived
document hash is authenticated, encrypting the derived document hash in the signing device
with a private key of the user stored in the signing device and sending the digital signature
from the signing device via the network to a recipient device. Another aspect of the inventive
method is that user identifying data which is derived from user identifying information
obtained from a user physically present at the user equipment forms part of the combination
from which the second data is derived, and that the user identifying information is stored in the
signing device and used by it in the authentication process.

Other objects, features and advantages of the present invention will become apparent upon
perusal of the following detailed description when taken in conjunction with the appended
drawing, wherein:

BRIEF DESCRIPTION OF THE DRAWING
Figure 1 is a schematic diagram of an exemplary system in accordance with the present
invention for utilizing a smartcard for digitally signing a document; and
Figure 2 is a data flow chart which indicates in three separate columns the method steps
performed by different portions of the system of Figure 2.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
It should be understood that while the present invention is discussed hereinafter in terms of an
exemplary system and method for producing digitally signed documents by users over the
Internet using a smartcard as a secure proxy signing device for an individual user, the
principles of the present invention are equally applicable to use of other proxy signing devices,
such as proxy signing servers for producing digital signatures on behalf of a plurality of users,
and to the production of digital signatures of a variety of data, programs, or files, or other
"documents", whether originated, mo

digital signature may be thought of as manifesting an approval by the user of a document. The
principles of the invention are also applicable to various systems and methods requiring
encryption in a proxy device in which one or more private keys are maintained.
In the system described herein, a private key/public key pair, ID (which may be the initials or
name of the user, providing they are unique) and user identifying data U consisting of a
password, passphrase or a hash thereof, or data derived from biometric information
(fingerprint, voiceprint, retina scan, or face scan), such as by hashing, are associated with each
user. The public/private key pair for each user is preferably RSA, although these key pairs
may be implemented pursuant to any public key cryptosystem including El Gamal and those
based on elliptic curve cryptography. The encryption/decryption algorithms employed in such
systems are referred to as asymmetric, because different keys are employed for encryption and
decryption.

A passphrase consists of a fanciful series of words. It is very difficult to guess passphrases as
opposed to passwords as there are many possible phrases. For example, a particularly good
passphrase may concatenate two phrases which are in different languages. Guessing such a
passphrase would be extremely difficult using normally available computer power. Similarly,
biometric information is quite unique and immune to a guessing attack.

Referring first to Figure 1, the exemplary system 10 in accordance with the present invention
comprises a plurality of computer stations, terminals or other portable or desktop user
computing and/or communication equipment, of which one user equipment 12 is illustrated,
which are interconnected to or capable of communicating with a server 14 via a network 16.
Server 14 is preferably a web server and network 16 may be the Internet or an intranet
supporting TCP/IP. User equipment 12 has user interaction means 122 such as a mouse and
keyboard for receiving input from a user 20 or provides biometric information (fingerprint,
voiceprint, retina scan, or face scan) by measurement or scanning of a physically present user
in order for user identifying data U to be derived. User interaction means 122 communicates
with a foreground process or front end 124, in general a web browser carried on by a
multitasking processor (not shown) of user equipment 12. Foreground process communicates
with network 16, which is not secure, and ultimately server 16, via a wired or wireless link 22
between user equipment 12 and network 16. Further, a smartcard reader 126 associated with
user equipment 12 is configured for coupling to the user's smartcard 18 for communication
therewith, and is controlled by a background process or back end 128 of the user equipment
which also routes communication to and from smartcard 18 to network 16, and ultimately
server 14, via link 22.

Foreground process 124 is controlled by execution of a Java applet which is sent from server
14 to user equipment along with a blank document Do (which may be integrated in the applet)
when the document system of the server is accessed. The applet implements hashing means
and encryption means functions 124a, 124b, respectively, and other mathematical functions
necessary to form the data mentioned herein as being formed by foreground process 124, as
well as handling the communication with user interaction means 122 as the user 20 fills out or
completes the document. When the document has been filled out and approved by the user so
as to constitute an approved document Df, the applet causes the latter to be sent to server 16.
As previously mentioned, the Java applet running under a browser cannot access smartcard
reader 126 or background process 128, thereby necessitating that all communication between
the foreground and background processes 124, 128 take place by server echoing. For
example, data is sent from the foreground process to the background process by the circuitous
route of the foreground process sending the data to the server and the server sending the data
to the background process. Since this insecure route exposes the communication to and from
smartcard 18 to being recorded and replayed by a malicious person monitoring the network,
security measures are taken including the provision of a random number generator 182 and an
authentication means 188 in the smartcard 18 and the generation of a second data item I2 by
foreground process 124 which is a function of the generated random number RN and is used
by the authentication means 188 of smartcard 18 to determine whether or not a document hash
Ho derived from a first data item I1 presented to the smartcard is authentic.
Random number generator 182 is preferably a true random source using a noisy natural
phenomenon. A suitable source is a noisy reverse biased zener diode which produces shot
noise in its current flow, and the random number length is preferably chosen to be 256 bits in
length, although a length of 128 bits is also usable.
In the applet controlled foreground process 124, hashing means 124a is used to apply a secure
hash function (SHA-1 or RIPEMD) to a filled-in document Df (or other approved document)
to form Ho, which is then encrypted by an asymmetric algorithm such as RSA, with the public
key of the user to form the first data item I1. Hashing means 124a is also used in forming a
second data item I2 by hashing
random number generator 182 of smartcard 18 and communicated to foreground process 124,
and user identifying data U consisting of a password, passphrase (or a hash thereof), or a hash
of biometric information. The random number RN had been communicated to foreground
process 124 by server echoing in a manner which will be more fully explained later. There are
many techniques known to those of ordinary skill in the art for hashing together a plurality of
data items to form a data string of fixed length, any of which are suitable. A sufficient
technique is applying a hash function to a concatenation of the data items to form a hash of at
least 128 bits in length (160 bits if SHA-1 is used).

Smartcard 18 also includes a memory 184 for storing at least the most recently generated
random number RN, and the user's private key and user identifying data U (password or
passphrase or hash of biometric information), which has previously been loaded in a secure
manner during a setup phase when the smartcard was issued with a generated private key
assigned to the user and with the user's identifying data U derived from information entered by
the user, in the case of a password or passphrase, or from information scanned or measured
with respect to the user, in the case of biometric information. Further, an encryption means
186 is included for forming a digital signature DS in a standard manner by encrypting a
document hash Ho with

only if document hash Ho is authenticated by the authentication means 188.

Authentication means 188 includes a decryption means 188a for decrypting the received first
data item I1 using the private key of the user read from memory section 184b to derive
document hash Ho, and a hashing means 188b for applying the same "hashing together"
operations to the derived document hash Ho, and the most recently generated random number
RN and the user identifying data U read from memory 184, as were applied by hash means
124a. Authentication means 188 also comprises a comparison means 188c for comparing the
"hashing together" result with the received second data item I2. If these items are equal, the
derived document hash Ho is considered authentic, i.e. having come from the user equipment
12 of the user 20 with the assigned user being physically present, and it is used by encryption
means 186 to form the digital signature DS, which is then sent to server 14 via network 16.
Server 14 comprises an authentication means 142, including, as is typical for authenticating
the digital signature DS received from smartcard 18, a decryption means 142a for decrypting
DS to compute document hash Ho in one way, hashing means 142b for applying the same
secure hash function used by hashing means 124a to the filled-in document Df received from
foreground process 124 to compute document hash Ho in another way, and a comparison
means for comparing the document hashes computed in these two ways. If they are the same
the digital signature DS and filled-in document Df are considered verified.

Server 14 comprises a memory 146 which may be or include RAM, ROM, a hard disk, or
other memory or media. Memory 146 contains respective sections 146a-d, or fields in a data
structure, for storing user IDs, public keys, documents and associated digital signatures DS,
respectively, for all users, which are indexed or otherwise addressable or retrievable by ID,
and also a section 146e for storing one or more applets. In addition, an echo means 144 of the
server 14 is used for enabling communication between the foreground and background
processes 124, 128 of user equipment 12.

The operation of the system shown in Figure 1 will be best understood by further reference to
the flowchart of Figure 2. As shown, the operation begins at block 40 with the user 20
causing, by input to user interaction means 122, a request to be sent from user equipment 12 to
server 14 for access to the document system, and the server responding at block 42 to this
request by sending a blank sign-in page to the user equipment. The user then, at block 44,
enters his ID in the sign-in page via user interaction means 122 which is sent by the user
equipment 12 to the server 16, and the server responds at block 46 by sending a blank
document Do and associated applet to the user equipment for controlling the foreground
process 124. Thereafter, the completed document Df is formed and approved by the user at
block 48 via user interaction means 122 and under the control of the applet. The completed
document Df thus formed in the foreground process 124 is hashed at block 50 by the hashing
means 124a functionality of the applet to form Ho.

At block 52, which may occur earlier than as shown, foreground process 124 requests a
random number RN, which request is echoed by the server at block 56 so that it reaches the
smartcard 18 via the background process 128. In the smartcard, at block 58, generator 182
generates a random number RN which is stored in memory section 184a and sent to the server
via background process 128, and at block 60 is echoed by the server to foreground process
124. Also, at block 54, which may also occur earlier than as shown, the user identifying data
U is obtained as a result of interaction of user 20 with user interaction means 122. In
particular, the user enters his password or passphrase or the user's biometric information is
obtained by measuring or scanning with respect to the physically present user and is then
hashed to a fixed length of at least 128 bits (160 bits if SHA-1 is used) so that the user
identifying data U is available to foreground process 124.

The second data item I2 is formed at block 62 by foreground process 124 hashing together
document hash Ho, random number RN and user identifying data U to a fixed length of at least
128 bits (160 bits if SHA-1 is used). Also the first data item I1 is formed at block 64, which
may occur earlier than as shown, by encrypting document hash Ho using the public key of the
user. The public key of the user must be provided to foreground process 124 with a certificate
from a trustworthy source in order to counter a man-in-the-middle attack. Preferably, the
public key of the user and certificate are sent by the server along with the blank document and
applet at block 46, although, alternatively, if the smartcard were configured to supply a
certificate from such a source, it could have supplied the public key of the user and certificate
along with the generated random number at block 58. The first and second data items I1, I2 are
sent at block 66 by foreground process 124 to server 14 where they are echoed at block 68 to
smartcard 18 via background process 128.

In smartcard 18, at block 70 first data item I1 is decrypted by decryption means 188a with the
private key of the user to obtain the document hash Ho. Then at block 72, the obtained
document hash Ho, and the last computed random number RN and user identifying data U read
from memory 184 are hashed together by hashing means 188b to form a derived second data
item I2' which at block 74 is compared by comparison means 188c to the received second data
item I2. If these items are the same, the derived document hash Ho is authenticated and at
block 76, it is encrypted with the private key of the user to form the digital signature DS,
which is sent to the server 14 via background process 128.

Further, at some point after the filled-in document Df is formed in foreground process 128, in
block 78 it is sent by the foreground process to server 14.
At the server, the verification of the digital signature DS and the approved document Df
proceed in a conventional manner. The received approved document is hashed at block 80 by
hashing means 142b, and the received digital signature DS is decrypted at block 82 by
decryption means 142a, using the public key of the user. Then, the results of these operations
are compared at block 84 by comparison means 142c. If the compared items are equal the
approved document Df and digital signature DS are verified and are stored at block 86 in
timecard storage sections 146c, 146d, respectively, of memory 146.
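
The exchange of blocks 50 to 84 above, written out as an added Python example; it is not part of the patent text. The toy key (two Mersenne primes), the raw RSA calls, the sample passphrase and document, and the one-attempt-per-RN rule are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed toy key built from two Mersenne primes so that no RSA library is
# needed. It is not secure, and raw RSA on the bare hash is used only because
# the text describes "encrypting the hash" directly.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def hash_together(*items: bytes) -> bytes:
    """SHA-1 over the concatenation; every item here has a fixed length."""
    return hashlib.sha1(b"".join(items)).digest()


def to_int(data: bytes) -> int:
    return int.from_bytes(data, "big")


class SigningDevice:
    """Smartcard 18: private key, user identifying data U, last issued RN."""

    def __init__(self, private_exponent: int, u: bytes):
        self._d, self._u, self._rn = private_exponent, u, None

    def new_random_number(self) -> bytes:
        self._rn = secrets.token_bytes(32)  # 256 bits, block 58
        return self._rn

    def sign(self, i1: int, i2: bytes):
        """Blocks 70-76: return DS, or None when Ho is not authenticated."""
        if self._rn is None:
            return None
        rn, self._rn = self._rn, None  # assumption of this example: one try per RN
        ho_int = pow(i1, self._d, N)  # block 70: decrypt I1
        if ho_int.bit_length() > 160:
            return None  # cannot be a SHA-1 value
        ho = ho_int.to_bytes(20, "big")
        derived_i2 = hash_together(ho, rn, self._u)  # block 72
        if not hmac.compare_digest(derived_i2, i2):  # block 74
            return None
        return pow(ho_int, self._d, N)  # block 76: DS


def form_data_items(document: bytes, rn: bytes, passphrase: str):
    """Foreground process 124, blocks 50, 54, 62 and 64: returns (I1, I2)."""
    ho = hash_together(document)
    u = hash_together(passphrase.encode())
    return pow(to_int(ho), E, N), hash_together(ho, rn, u)


def server_verify(document: bytes, ds) -> bool:
    """Server 14, blocks 80-84: compare decrypted DS with the document hash."""
    return ds is not None and pow(ds, E, N) == to_int(hash_together(document))


def run_exchange() -> dict:
    passphrase = "fanciful words / mots fantaisistes"  # constructed sample
    card = SigningDevice(D, hash_together(passphrase.encode()))
    doc = b"timecard: 40 hours"  # constructed sample document Df

    # Honest run: fresh RN, items formed with the right passphrase.
    recorded = form_data_items(doc, card.new_random_number(), passphrase)
    honest = server_verify(doc, card.sign(*recorded))

    # Block replay: the recorded (I1, I2) arrive again after a new RN.
    card.new_random_number()
    replayed = card.sign(*recorded)

    # Impersonation: right document, wrong passphrase, so U differs.
    wrong_u = card.sign(*form_data_items(doc, card.new_random_number(), "guess"))

    # Phony hash: I1 replaced in transit, I2 still bound to the real Ho.
    _, i2 = form_data_items(doc, card.new_random_number(), passphrase)
    phony_i1 = pow(to_int(hash_together(b"timecard: 400 hours")), E, N)
    phony = card.sign(phony_i1, i2)

    return {"honest": honest, "replayed": replayed,
            "wrong_u": wrong_u, "phony": phony}


if __name__ == "__main__":
    print(run_exchange())
```

Only the honest run yields a signature that the server check accepts; in the other three cases the comparison at block 74 fails and the device returns nothing to sign with.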

It should now be appreciated that the objects of the invention have been satisfied. While the 
present invention has been described in particular detail, it should also be appreciated that 
numerous modifications are possible within the intended spirit and scope of the invention.



WHAT IS CLAIMED IS:



1. A digital signing device (18) for forming a digital signature of a document
using at least one private key stored within the signing device (184b), said signing device
comprising means (188) for using a plurality of data items supplied to the signing device to
derive and authenticate a document hash, and means (186) for encrypting the derived
document hash with the at least one stored private key (184b) to form the digital signature only
if the derived document hash is authenticated.

2. A digital signing device (18) as claimed in Claim 1, wherein said hash deriving
and authenticating means (188) is configured for authenticating a derived document hash on a
condition that first data derived at least in part from one of said data items is the same as
second data equal to or derived from another of said data items.

3. A digital signing device (18) as claimed in Claim 2, wherein the device further
comprises a random number generator (182), and the first data is also derived in part from a
number stored in the device (184a) which was previously generated by the random number
generator (182).

4. A digital signing device (18) as claimed in Claim 2 or Claim 3, wherein the
device further has user identifying data stored therein (184c), and the first data is also derived
in part from the stored user identifying data.

5. A digital signing device (18) as claimed in Claim 4, wherein the device further
has user identifying data stored therein (184c), and the first data is also derived in part from
the stored user identifying data.

6. A digital signing device (18) as claimed in Claim 4 or Claim 5, wherein the user
identifying data is derived from a passphrase or from biometric information.
7. A digital signing device (18) as claimed in Claim 1, Claim 2 or Claim 3
wherein the document hash is derived from said data by decrypting with said private key.

8. User apparatus (12) for cooperating with a digital signing device (18) via a
network (16) for forming a digital signature on behalf of a user (20) to whom is assigned a
private key/public key pair, said apparatus comprising user interaction means (122) for a user
to indicate approval of a document; computation means (124) configured for forming first and
second data items to be provided to the digital signing device via the network, said first data
item being derived from a hash of the approved document, and said second data item being
derived from a combination including said hash of the approved document and a random
number previously computed by the signing device (18) and sent to the user equipment (12)
via the network (16).

9. User apparatus (12) as claimed in Claim 8, wherein said combination further
comprises user identifying data.

10. User apparatus (12) as claimed in Claim 9, wherein said user identifiable data is
derived from a passphrase or from biometric information of the user.

11. Apparatus (12) as claimed in Claim 8, wherein the second data item is derived
from said combination by hashing together the items of said combination.

12. A method of forming and supplying a digital signature of a user comprising:

receiving in user equipment (12) from a server (14) via a network a document
to be approved;

generating a random number (58) in a signing device (18) and supplying the 
random number to the user equipment (12); 

forming in the user equipment (12) a first data item (64) derived from a hash of 
the approved document and a second data (62) item derived from a combination including said 
hash of the approved document and said random number; 

authenticating (72) in the signing device (18) a hash of the approved document 
derived from said first data item if data derived (72) by the signing device from the 
combination including the derived hash of the approved document and a previously generated 
random number stored in the signing device equals data derived from said second data item;
and

if the derived document hash is authenticated: encrypting the derived
document hash (76) in the signing device (18) with a private key of the user stored in the
signing device (184b); and

sending the digital signature from the signing device to a recipient.

13. A method as claimed in Claim 12, wherein said combination further
user identifying data (184c)

14. A method as claimed in Claim 13, wherein the user identifying data is derived
from a passphrase or from biometric information.